RFID Transplantation

One of the nice things about living in Singapore is its comprehensive mass-transit system. The SMRT blankets the 26-mile by 14-mile island nation with a network of 78 stations and an extensive bus system. This is in stark contrast to San Diego county, which is over 15 times the land area in size but has only 2/3rds the population and is covered by a trolley system with 53 stops. Needless to say, it’s impossible to live in San Diego without a car; while driving is a privilege, it’s a burden when you are required to do it. So, I’m quite happy now to have the option of taking the SMRT, safely answering emails and playing video games while the train takes me to my destination.

However, one small irritation I’ve encountered with the SMRT is that the “EZlink” RFID card system used in Singapore conflicts with the two other RFID subway cards in my wallet (the Shenzhen Tong and the Hong Kong Octopus card). As I pass through the busy turnstiles, about half the time I get an invalid card error, causing much irritation among the people behind me as I sort through my RFID card collection to pick out the EZlink card.

Having seen Japan’s Suica system integrated into mobile phones, I thought, why not stick the EZlink chip inside my phone? Since the EZlink card also serves as a payment card, I can get around the city with nothing but my phone, buying beverages at 7-11, and paying taxi, bus and train fares while texting my buddies without carrying a scrap of cash.

As a general note, transplanting RFID chips is a much cleaner solution from both the legal and technical perspective versus cracking the security and programming your own RFID to be compatible with the existing payment system. While many of the security systems used in RFID are already broken or have serious known vulnerabilities, I can’t think of any country where the authorities would take kindly to you doing it. And, while the 3DES system used in the EZlink’s security isn’t the strongest out there, it’s still hard enough to crack that it’s just not worth the effort.

Transplanting the RFID chip ended up taking only a couple of hours; I think it’s a handy enough hack that I’m sharing the details on how to do it. Unfortunately, few of my American readers would have an immediate use for it, since RFID payment and subway transportation technology really hasn’t reached most of the US population…I must remark at this point that living overseas really highlights how behind the US is in some areas. I have 100 Mbit broadband service in my home for about US$60/month…and just a couple months ago they rolled out 1 Gbit fiber-to-the-home in my neighborhood, and I’m tempted to upgrade, although I’m not quite sure what, exactly, I’d do with a Gigabit connection. It’s also sad to find in the details of my Japanese mobile data plan that the US’s 3G service is classified in the same performance tier as Africa’s 3G services.

Note to locals: I picked the EZlink card (as opposed to the competing NETS system) because they have convenient top-up kiosks in the station where you just lay the card on a pedestal to recharge it. The NETS system requires you to put the card into a slot reader, or to give it to an agent, neither of which is an option when you’ve hacked the card into a mobile phone.

The EZlink card uses a 13.56 MHz contactless RFID system, so inside the card there’s an actual silicon chip, and an embedded antenna. Above is a photo of the card with the chip’s location (top right corner) revealed. The easiest way to locate the chip is to look at the reflection of a lightbulb off the surface and observe the slight bump underneath the surface where the chip is located. Outline the location with a marker and use a hobby knife to scrape away at the plastic.

Scraping away at the plastic on the opposing side as well makes the chip easier to release:

Lift the chip out very delicately, as there is a loop of copper wire bonded to the chip’s leadframe. If pulled too hard, the leadframe will be damaged — it must be kept intact, since an alternate antenna will be soldered to the leadframe later on. Below is a photo of the chip lifted up partially, revealing the copper wires.

Below is a photo of the chip’s leadframe, with arrows pointing to the solder points on the leadframe. Notice how the metal tabs on the left and right sides are not actually electrically connected to the metal paddle in the center, thus creating three electrically isolated regions. Take caution not to short them together.

Now that the chip is free, attach it to a suitable antenna. For this hack, I took a 13.56 MHz RFID bracelet and re-used the antenna from it. The bracelet is made by Precision Dynamics, a PDC Smart Superband 470. You can also make your own antenna, but RFIDs are so common it may be easier to scavenge an existing antenna out of any used 13.56 MHz RFID.

Cutting open the band is easily done with a pair of scissors:

Next, carefully cut the existing chip out of the antenna. Since it’s all printed on thin flexible plastic, this is easily done with a hobby knife.

Above is a photo of the partially-cut chip. When cutting the chip out, be sure to leave the antenna contacts on either side, as these will be used to solder to the EZlink RFID chip’s leadframe tabs. Below is a photo of the chip itself, after it has been freed of its bond to the antenna.

Next, lay some kapton tape down in the region of the RFID chip bonding area to protect the delicate antenna traces underneath. Slide the RFID chip in between the antenna contacts, and solder it down:

Soldering the chip takes a deft hand, since you’re soldering onto soft plastic that will melt if you apply too much heat. However, a bit of solder flux applied before the operation and a temperature-controlled iron set to the lowest temperature that will still melt solder makes things easier.

And that’s basically it! The final EZlink chip + grafted antenna assembly is very thin and flexible:

It’s thin enough to be taped inside the battery compartment of my local phone. Positioning of the antenna is important; it needs to clear the battery pack as much as possible, as the battery pack interferes with the RFID signal. Here’s a photo of the compartment with the back cover off:

I’m guessing the TSA would not be entertained if they found this on me given the recent use of mobile phones in cargo bombs…which is why I stuck it into my local-only feature phone, instead of my international-use Blackberry.

And, here it is, in my local SMRT station, showing the latest balance:

The final antenna+RFID assembly is thin and flexible enough to be hidden in a number of convenient locations; it could be put into the wristband of a watch, sewn into clothing (although, I wouldn’t put this through the wash), or integrated into jewelry.

This entry was posted on Saturday, November 6th, 2010 at 4:55 am and is filed under Hacking.

51 Responses to “RFID Transplantation”

There was a fad for doing this with the Oyster card (MiFare-based RFID) for the London Underground a few years back – people would dissolve the card (using acetone, if I remember rightly) and turn the chip+antenna into a bracelet. While it works fine, Transport for London did not approve of this, and people have had problems with ticket staff not accepting the “cards”.

I made a video showing how to remove the RFID from an Oyster card with acetone (see link above), it might be a bit easier than Andrew’s method as the antenna comes out and there’s no soldering involved.

However, the new version of the Oyster card encases the RFID apparatus in some kind of epoxy rubber which doesn’t break down with acetone, so it’s not a universal solution (if you’ll excuse the pun).

I should try the acetone trick, that’s a good tip. There’s some kind of binding agent used to laminate the EZlink which could be dissolved with acetone, and the plastic itself feels like the type that might be susceptible to chemical attack. That being said, cutting with a knife is easy enough; and if I had to do a bunch of them I could probably use a die punch or a laser cutter.

Although, based on my estimation of where the wires run in the EZlink card (four turns around the perimeter), there’s a fair loop of wire in there, so the minimum dimension of what I can put it in is pretty big. I do like the antenna from the RFID bracelet because it’s quite small.

I can’t say for the EZ-pass, but for the Oyster (London) and Octopus (HK) cards, soaking the card in acetone for a day or so, then delaminating the two halves will give you a fully usable, stripped RFID chip + antenna. It’s fairly easy to transplant into any other device.

But I already have a collection of cards in my passport cover (Singapore employment visa, HKIA echannel card, plus a couple frequent flyer club cards), and I usually leave those all in the hotel room safe…which means that the subway card will also tend to get left in there as well. I’ve been more than once walking into the MTR and having to double back because I have no local currency or subway card, so I’ve come to just leave the card in the wallet.

On the other hand, if I don’t feel my wallet, keys or phone in my pockets, I usually realize that within ten seconds out the door because my pockets will feel too light. In other words, I’m pretty good at tracking my stuff at the wallet-level, but shuffling cards around every couple weeks depending on what country I’m in is too prone to error.

Not sure from the size of the phone but it seems like another option would be to mill out the housing a bit to accommodate the thickness of the card. Maybe even just the battery compartment, or heat and stretch the battery cover a bit.
(Or even, if you’re really lazy, just put a self-adhesive pocket on the back of the phone. :)

Been here for a few months now, although I’m just getting around to selling my place now. If you know anyone looking for a nice ocean-view place in Cardiff, let me know! Terrible market for sellers, tho — I’m probably going to end up being a part of one of those depressing housing market statistics at the end of the day.

[…] today, it is becoming harder to avoid having some sort of RFID tag in your wallet. [bunnie], of bunnie:studios decided to ease the clutter (and wireless interference) in his wallet by transplanting the RFID […]

Wouldn’t it be easier, given that you seem to only have 3 RFID cards on you, to place some sort of barrier (a sheet of foil, or an RFID blocker holder or sleeve) in between two of the cards? Then scanning the back of your wallet would let only the RFID card on that side work, and scanning the front side would let the other one work.

In the San Francisco area, they just started rolling out an RFID system that allows you to use one card for the half dozen transit systems in the area, and manage your payments online, like a civilized nation. I’m definitely taking a hard look at my Clipper card…

Just to save anyone else the bother: I tried the acetone trick with a Go card in use in Brisbane, and sadly they are of a type designed to self-destruct on opening, with no solid wires, just fine metal tracks that crumble to dust, and the chip itself seems to have been likewise destroyed.

Hooray for the wonders of modern manufacturing processes, and boo for spoiling my fun.

[…] RFID Transplantation @ bunnie’s blog… …the SMRT is that the “EZlink” RFID card system used in Singapore conflicts with the two other RFID subway cards in my wallet (the Shenzhen Tong and the Hong Kong Octopus card), so as I pass through the busy turnstyles, about half the time I get an invalid card error, causing much irritation among the people behind me as I sort through my RFID card collection to pick out the EZlink card. […]

Quite the contrary. I carry three RFID cards, and that’s the problem–they interfere. I have no problem carrying cards, I just don’t want to carry a separate wallet to keep the cards from interfering. :-) And yes, there’s a lot of “easier” ways to handle it (like take out the other cards) but that wouldn’t be fun now, would it?

Nokia have been showing off ‘virtual’ RFID cards for quite some time now, I don’t think anyone else is doing it right now. You download a virtual card, say the subway lot offer a template, along with a few banks already on the action. Your phone uses this to emulate a genuine card, you can have hundreds of cards in a single phone and manage which are on/off. Solves the problem you have here.

While I like the concept, the implementation for me as a user sucks. I’m not even sure which machine I can use to check the status — I had to go online (meaning traveling home) to figure it out, and the rules for monthly pass users are different enough to be confusing.
